Executive Summary
GoPIX is a banking Trojan first observed in December 2022 that targets users of PIX, the instant payment system run by Brazil's central bank. It is distributed through malicious search ads for "WhatsApp Web": the landing page screens each visitor with the IPQualityScore fraud-scoring service and serves the installer only to visitors that look like real users, which filters out sandboxes and researchers. Once installed, GoPIX diverts payments by rewriting PIX copy-and-paste codes and cryptocurrency wallet addresses on the clipboard so that the victim pays an attacker-controlled account. (usa.kaspersky.com)
GoPIX is part of a broader pattern of cybercriminals abusing popular Latin American payment systems. Its anti-analysis delivery chain and its manipulation of payment details at the moment of use call for tighter endpoint and egress controls and for user awareness that a valid-looking payment code can still name the wrong payee. (usa.kaspersky.com)
Why This Matters Now
The emergence of GoPIX highlights the increasing sophistication of cyber threats targeting financial systems, emphasizing the urgent need for enhanced security measures and user vigilance to protect sensitive financial data. (usa.kaspersky.com)
Attack Path Analysis
The GoPIX banking Trojan starts with a malvertising campaign that lures victims into downloading a malicious installer. On execution, the installer runs obfuscated PowerShell that loads the malware components directly into memory, so the payload never sits on disk where file-based scanning would see it. The malware then places itself in the victim's browsing path by installing a Proxy AutoConfig (PAC) file and a trusted root certificate, giving it a man-in-the-middle position over HTTPS traffic. It talks to short-lived command-and-control servers for instructions and updates. The fraud itself is clipboard substitution: GoPIX watches the clipboard for PIX copy-and-paste payment codes and cryptocurrency wallet addresses and replaces them with attacker-controlled values, so the victim's own payment is redirected rather than stolen after the fact.
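The clipboard-substitution step is the one a payment application can check for itself. The following Python is an added example, not code from the original page or from Kaspersky's analysis: it parses a PIX "Copia e Cola" BR Code (the EMV tag-length-value string published by Banco Central do Brasil, with a CRC-16/CCITT-FALSE in field 63), recognises Bitcoin and Ethereum addresses, and compares what the user copied with what arrived in the payment field. The merchant, PIX keys and transaction ID below are constructed sample values, and the regular expressions for wallet addresses are a simplified assumption that matches common formats only.

```python
"""Added example: parse a PIX BR Code and detect the payee swap performed by a
clipboard hijacker. All merchant, key and txid values are constructed."""
import re
from typing import Optional

PIX_GUI = "br.gov.bcb.pix"  # GUI that marks a PIX merchant-account block (field 26)
# Simplified address patterns (assumption): legacy/bech32 Bitcoin and hex Ethereum.
BTC_RE = re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection), as used by field 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_tlv(payload: str) -> dict:
    """Split an EMV MPM string (2-char tag, 2-digit length, value) into a dict."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        i += 4 + length
    return fields


def build_brcode(fields: list) -> str:
    """Assemble a BR Code from (tag, value) pairs and append CRC field 63."""
    body = "".join(f"{tag}{len(val):02d}{val}" for tag, val in fields) + "6304"
    return body + f"{crc16_ccitt_false(body.encode()):04X}"


def parse_brcode(payload: str) -> Optional[dict]:
    """Return payee details for a PIX BR Code, or None if the text is not one."""
    try:
        top = parse_tlv(payload)
        mai = parse_tlv(top["26"])
        extra = parse_tlv(top["62"]) if "62" in top else {}
    except (ValueError, KeyError):
        return None
    if mai.get("00", "").lower() != PIX_GUI:
        return None
    # CRC covers everything up to and including the "6304" tag/length prefix.
    crc_ok = payload[-4:].upper() == f"{crc16_ccitt_false(payload[:-4].encode()):04X}"
    return {"key": mai.get("01"), "name": top.get("59"), "amount": top.get("54"),
            "txid": extra.get("05"), "crc_ok": crc_ok}


def classify(text: str):
    """Label clipboard content as ('pix', details), ('btc', addr), ('eth', addr) or ('other', None)."""
    text = text.strip()
    pix = parse_brcode(text)
    if pix:
        return "pix", pix
    if BTC_RE.match(text):
        return "btc", text
    if ETH_RE.match(text):
        return "eth", text
    return "other", None


def detect_hijack(copied: str, pasted: str) -> Optional[str]:
    """Compare what the user copied with what reached the payment field.
    Returns None when the payee is intact, otherwise a short reason string."""
    kind_c, c = classify(copied)
    kind_p, p = classify(pasted)
    if kind_c == "other":
        return None  # nothing payment-related was copied
    if kind_c != kind_p:
        return f"{kind_c} payload replaced by {kind_p} content"
    if kind_c == "pix":
        if not p["crc_ok"]:
            return "pix code corrupted (CRC mismatch)"
        if c["key"] != p["key"]:
            return f"pix key swapped: {c['key']} -> {p['key']}"
        if c["amount"] != p["amount"]:
            return f"amount changed: {c['amount']} -> {p['amount']}"
        return None
    return None if c == p else f"{kind_c} address swapped: {c} -> {p}"


def sample_code(pix_key: str) -> str:
    """Constructed BR Code for a fixed sample merchant, parameterised by the PIX key."""
    mai = f"00{len(PIX_GUI):02d}{PIX_GUI}01{len(pix_key):02d}{pix_key}"
    return build_brcode([("00", "01"), ("26", mai), ("52", "0000"), ("53", "986"),
                         ("54", "150.00"), ("58", "BR"), ("59", "LOJA EXEMPLO"),
                         ("60", "SAO PAULO"), ("62", "0509PEDIDO123")])


VICTIM_CODE = sample_code("pagamentos@example.com.br")  # constructed: what the user copied
ATTACKER_CODE = sample_code("mule@example.net")          # constructed: what the hijacker pasted

if __name__ == "__main__":
    print(detect_hijack(VICTIM_CODE, VICTIM_CODE))
    print(detect_hijack(VICTIM_CODE, ATTACKER_CODE))
    print(detect_hijack("0x" + "ab" * 20, "0x" + "cd" * 20))
```

The point of the second comparison is the caveat: a hijacker replaces the whole code with a well-formed one of its own, so the CRC passes and only a comparison against what the user actually copied (or a confirmation screen that shows the decoded payee name and key) reveals the swap. The CRC check still matters for the separate case of a truncated or corrupted code.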
Kill Chain Progression
Initial Compromise
Description
GoPIX gains initial access through malvertising campaigns that direct users to download a malicious installer disguised as legitimate software. The techniques listed below span the full reported chain, from delivery through execution, defence evasion and collection, not only the initial access step.
MITRE ATT&CK® Techniques
T1071.001 – Application Layer Protocol: Web Protocols
T1204.001 – User Execution: Malicious Link
T1059.001 – Command and Scripting Interpreter: PowerShell
T1218.011 – System Binary Proxy Execution: Rundll32
T1036.005 – Masquerading: Match Legitimate Name or Location
T1112 – Modify Registry
T1553.002 – Subvert Trust Controls: Code Signing
T1113 – Screen Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious software (malware) is prevented, or detected and addressed
Control ID: 5.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – User Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the threat, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of the GoPIX banking Trojan, which takes a man-in-the-middle position on the infected host and rewrites payment details; calls for inspection of encrypted traffic and egress controls on endpoints that handle payments.
Financial Services
Direct exposure to Brazilian banking malware that redirects PIX transactions and cryptocurrency transfers through malvertising delivery and certificate injection.
Government Administration
Public-sector bodies that accept or make PIX payments face the same clipboard-substitution risk as commercial payees and benefit from zero trust segmentation and host visibility controls.
Information Technology/IT
IT providers and managed workstations are exposed to a memory-only implant that bypasses file-based scanning through PowerShell obfuscation and in-memory loading; endpoint telemetry and script-block logging matter more here than network controls alone.
Sources
- Free real estate: GoPix, the banking Trojan living off your memory – https://securelist.com/gopix-banking-trojan/119173/
- Kaspersky crimeware report reveals new Rhysida ransomware, Lumar stealer and GoPIX banking malware – https://usa.kaspersky.com/about/press-releases/kaspersky-crimeware-report-reveals-new-rhysida-ransomware-lumar-stealer-and-gopix-banking-malware
- Scam now redirects payments made via PIX; companies and consumers are targets (Portuguese) – https://www.kaspersky.com.br/about/press-releases/golpe-redireciona-agora-pagamentos-via-pix-empresas-e-consumidores-sao-alvos
- New Banking Trojan Targeting 100M Pix Payment Platform Accounts – https://www.darkreading.com/cyber-risk/new-bank-trojan-targeting-100m-pix-payment-platform-accounts
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to the GoPIX incident in that it can constrain what an infected host is able to reach: command-and-control channels and outbound data flows, and therefore the blast radius of an infection. It does not act on the host itself.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF does not prevent the initial compromise, which depends on a user running a malicious installer.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation limits which systems an infected host can reach; it does not stop script execution on the host, so it reduces reach rather than preventing the local infection.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would limit lateral movement, though in this case the malware remains on the initial host.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control can expose and restrict the malware's command-and-control channels by flagging outbound connections to unknown, short-lived destinations.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement can block unauthorised outbound transfers and C2 traffic by allowing only approved destinations.
Taken together, these controls reduce the impact by narrowing what the malware can talk to once it is running; they do not replace endpoint controls for the in-memory loader itself.
Impact at a Glance
Affected Business Functions
- Online Payment Processing
- E-commerce Transactions
- Financial Data Integrity
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of payment transaction data and customer financial information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Egress Security & Policy Enforcement to monitor and control outbound traffic, cutting off C2 channels and unauthorised data transfers.
- Deploy Zero Trust Segmentation to enforce least privilege network access and limit the reach of a compromised host.
- Use Multicloud Visibility & Control to inspect network traffic and surface anomalous outbound behaviour indicative of compromise.
- Apply Inline IPS (Suricata) to block known malicious payload downloads and C2 patterns in real time.
- Establish Threat Detection & Anomaly Response mechanisms to detect and respond promptly to suspicious activity within the network.